From: Andy Lutomirski <luto@amacapital.net>
To: Andrey Vagin <avagin@openvz.org>
Cc: Andrew Vagin <avagin@odin.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Linux API <linux-api@vger.kernel.org>,
	Oleg Nesterov <oleg@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Cyrill Gorcunov <gorcunov@openvz.org>,
	Pavel Emelyanov <xemul@parallels.com>,
	Roger Luethi <rl@hellgate.ch>, Arnd Bergmann <arnd@arndb.de>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	David Ahern <dsahern@gmail.com>,
	Pavel Odintsov <pavel.odintsov@gmail.com>
Subject: Re: [PATCH 0/24] kernel: add a netlink interface to get information about processes (v2)
Date: Wed, 8 Jul 2015 16:48:22 -0700	[thread overview]
Message-ID: <CALCETrWcgJmZTwW9n5rNPSDXjtUZHg4nBi+f6B7TgjoUf6KHpg@mail.gmail.com> (raw)
In-Reply-To: <CANaxB-yMKGWJ1r0GMR9VfAq_xHn6bTjYmkDXST4suNNqu4GVjA@mail.gmail.com>

On Wed, Jul 8, 2015 at 3:49 PM, Andrey Vagin <avagin@openvz.org> wrote:
> 2015-07-08 20:39 GMT+03:00 Andy Lutomirski <luto@amacapital.net>:
>> On Wed, Jul 8, 2015 at 9:10 AM, Andrew Vagin <avagin@odin.com> wrote:
>>>
>>> As far as I understand, socket_diag doesn't have this problem, because
>>> each socket has a link on a namespace where it was created.
>>>
>>> What if we pin the current pidns and credentials to a task_diag
>>> socket at the moment it's created.
>>
>> That's certainly doable.  OTOH, if anything does:
>>
>> socket(AF_NETLINK, ...);
>> unshare(CLONE_PID);
>> fork();
>>
>> then they now have a (minor) security problem.
>
> What do you mean? Is it not the same when we open a file and change
> uid and gid? Permissions are checked only in the "open" syscall.
>
> [root@avagin-fc19-cr ~]# ls -l xxx
> -rw-r--r-- 1 root root 5 Jul  9 01:42 xxx
>
> open("xxx", O_WRONLY|O_APPEND)          = 3
> setgid(1000)                            = 0
> setuid(1000)                            = 0
> write(3, "a", 1)                        = 1
> close(1)                                = 0

Yes and no.

open(2) is supposed to return an fd that retains the access to the
file that existed when open(2) was called.  socket(2) is supposed* to
capture the access to the netns that existed at the time it was
called, but capturing access to a userns and/or pidns is new.

If you added socket(AF_NETLINK, SOCK_DGRAM, NETLINK_PIDNS), then maybe
that would work, but the userns interaction is a bit odd.  OTOH every
pidns has an associated userns, so you could just use that.  I don't
know whether that would annoy someone.

* There's some question as to whether socket(2) or connect(2) should
do this, but connect handling in netlink is quite broken and iproute2
relies on the broken handling.  The historical behavior was different,
too, but the old behavior was exploitable.  I have a cute little
program that does 'ip set dev lo down' but doesn't need to be run as
root :)

--Andy
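The exchange above turns on one property of open(2): the permission check happens once, in open(), and the resulting descriptor keeps that access even after the process's credentials or the file's mode change. The strace Andrey quotes shows it with setuid(1000); the program below is an added example (my code, not part of the patch set or the thread) that reproduces the same effect without needing to be run as root. It creates a private file, revokes all access to it with fchmod(fd, 0), and then compares a write through the old descriptor with a fresh open(). When the example happens to run as root, DAC would be bypassed, so it mirrors the thread's strace and switches to an unprivileged effective uid first; the uid 65534 ("nobody") is an assumption. This is exactly the capability-like behaviour Andy describes for a netlink socket pinned to a netns (or, under the proposal, a pidns): whatever the socket captured at socket() time stays usable after unshare()+fork().

```c
/* Added example (not from the patch set or the thread): the permission
 * check for a file happens in open(2) only, so an fd opened with one set
 * of credentials keeps that access after the credentials or the file's
 * mode change. The same "captured at creation" property is what the
 * thread discusses for netlink sockets and namespaces. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct fd_demo_result {
    int write_after_revoke;  /* bytes written through the old fd (1 expected) */
    int reopen_errno;        /* errno of a fresh open() after revocation (EACCES expected) */
    int privileged_bypass;   /* 1 if we stayed root and DAC was bypassed (assumed rare) */
};

/* Open a private file, revoke access to it, then compare the old fd with a
 * fresh open(). Returns 0 on success, -1 if the setup itself failed. */
int fd_keeps_access_demo(struct fd_demo_result *r)
{
    char path[] = "/tmp/fd-demo-XXXXXX";   /* assumption: /tmp is writable */
    int fd = mkstemp(path);                /* created 0600, owned by us */
    if (fd < 0)
        return -1;
    memset(r, 0, sizeof(*r));

    /* Revoke: from now on nobody, not even the owner, may open the file. */
    if (fchmod(fd, 0) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }

    /* Root bypasses DAC (CAP_DAC_OVERRIDE), so mirror the strace in the
     * thread and switch to an unprivileged effective uid. seteuid() keeps
     * uid 0 in the saved set so we can come back for cleanup. */
    int dropped = 0;
    if (geteuid() == 0) {
        if (seteuid(65534) == 0)       /* assumption: 65534 is "nobody" */
            dropped = 1;
        else
            r->privileged_bypass = 1;  /* no CAP_SETUID: results below are not meaningful */
    }

    /* The descriptor still carries the access that existed at open time. */
    r->write_after_revoke = (int)write(fd, "a", 1);

    /* A new open() is checked against the current mode and credentials. */
    int fd2 = open(path, O_WRONLY | O_APPEND);
    r->reopen_errno = (fd2 < 0) ? errno : 0;
    if (fd2 >= 0)
        close(fd2);

    if (dropped)
        seteuid(0);
    close(fd);
    unlink(path);   /* needs write on /tmp, not on the file itself */
    return 0;
}

int main(void)
{
    struct fd_demo_result r;
    if (fd_keeps_access_demo(&r) < 0) {
        perror("setup");
        return 1;
    }
    printf("write through old fd after revoke: %d byte(s)\n", r.write_after_revoke);
    printf("fresh open() after revoke: %s\n",
           r.reopen_errno ? strerror(r.reopen_errno) : "succeeded");
    if (r.privileged_bypass)
        printf("(ran as root without CAP_SETUID; DAC was bypassed)\n");
    return 0;
}
```

The point for the task_diag design is the second printed line: once an object has been handed out as a descriptor, the kernel no longer re-checks the caller on each use, so whatever a task_diag socket pins at socket() time (pidns, credentials, or both) is what a child in a freshly unshared pidns will keep using.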

Thread overview (90+ messages):
2015-07-06  8:47 [PATCH 0/24] kernel: add a netlink interface to get information about processes (v2) Andrey Vagin
2015-07-06  8:47 ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 01/24] kernel: define taststats commands in the one place Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 02/24] kernel: add a netlink interface to get information about tasks (v2) Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 03/24] kernel: make taskstats available from all net namespaces Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 04/24] kernel: move next_tgid from fs/proc Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 05/24] task_diag: add ability to get information about all tasks Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 06/24] task_diag: add ability to split per-task data on a few netlink messages Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 07/24] task_diag: add a new group to get process credentials Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 08/24] proc: pick out a function to iterate task children Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-14 18:02   ` Oleg Nesterov
2015-07-14 18:02     ` Oleg Nesterov
2015-07-17 15:57     ` Andrew Vagin
2015-07-17 15:57       ` Andrew Vagin
2015-07-18 21:22       ` Oleg Nesterov
2015-07-18 21:22         ` Oleg Nesterov
2015-07-06  8:47 ` [PATCH 09/24] proc: move task_next_child() from fs/proc Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 10/24] task_diag: add ability to dump children (v2) Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 11/24] task_diag: add a new group to get task statistics Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 12/24] task_diag: add a new group to get tasks memory mappings (v2) Andrey Vagin
2015-07-14 18:08   ` Oleg Nesterov
2015-07-14 18:08     ` Oleg Nesterov
2015-07-15  2:02     ` David Ahern
2015-07-15  2:02       ` David Ahern
2015-07-06  8:47 ` [PATCH 13/24] task_diag: shows memory consumption for " Andrey Vagin
2015-07-06  8:47 ` [PATCH 14/24] task_diag: add a marcos to enumirate memory mappings Andrey Vagin
2015-07-06  8:47 ` [PATCH 15/24] proc: give task_struct instead of pid into first_tid Andrey Vagin
2015-07-14 18:11   ` Oleg Nesterov
2015-07-06  8:47 ` [PATCH 16/24] proc: move first_tid and next_tid out of proc Andrey Vagin
2015-07-06  8:47 ` [PATCH 17/24] task_diag: add ability to dump theads Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06  8:47 ` [PATCH 18/24] task_diag: add ability to handle one task in a continious mode Andrey Vagin
2015-07-06  8:47 ` [PATCH 19/24] task_diag: Add option to dump all threads for all tasks Andrey Vagin
2015-07-06  8:47 ` [PATCH 20/24] task_diag: Only add VMAs for thread_group leader Andrey Vagin
2015-07-14 17:47   ` Oleg Nesterov
2015-07-14 17:47     ` Oleg Nesterov
2015-07-15  2:01     ` David Ahern
2015-07-15 13:31       ` Oleg Nesterov
2015-07-15 13:31         ` Oleg Nesterov
2015-07-06  8:47 ` [PATCH 21/24] task diag: Add support for TGID attribute Andrey Vagin
2015-07-06  8:47 ` [PATCH 22/24] Documentation: add documentation for task_diag Andrey Vagin
2015-07-06  8:47 ` [PATCH 23/24] selftest: check the task_diag functinonality Andrey Vagin
2015-07-06  8:47 ` [PATCH 24/24] task_diag: Enhance fork tool to spawn threads Andrey Vagin
2015-07-06  8:47   ` Andrey Vagin
2015-07-06 17:10 ` [PATCH 0/24] kernel: add a netlink interface to get information about processes (v2) Andy Lutomirski
2015-07-07 15:43   ` Andrew Vagin
2015-07-07 15:56     ` Andy Lutomirski
2015-07-07 15:56       ` Andy Lutomirski
2015-07-07 16:17       ` David Ahern
2015-07-07 16:17         ` David Ahern
2015-07-07 16:24         ` Andy Lutomirski
2015-07-07 16:41           ` David Ahern
2015-07-07 16:41             ` David Ahern
2015-07-08 16:10       ` Andrew Vagin
2015-07-08 16:10         ` Andrew Vagin
2015-07-08 17:39         ` Andy Lutomirski
2015-07-08 22:49           ` Andrey Vagin
2015-07-08 23:48             ` Andy Lutomirski [this message]
2015-07-08 23:48               ` Andy Lutomirski
2015-07-07 16:25     ` Arnaldo Carvalho de Melo
2015-07-07 16:25       ` Arnaldo Carvalho de Melo
2015-07-07 16:27       ` Andy Lutomirski
2015-07-07 16:27         ` Andy Lutomirski
2015-07-07 16:56         ` David Ahern
2015-07-07 16:56           ` David Ahern
2015-11-24 15:18 ` Andrew Vagin
2015-11-24 15:18   ` Andrew Vagin
2015-12-03 23:20   ` Andy Lutomirski
2015-12-03 23:20     ` Andy Lutomirski
2015-12-03 23:43     ` Arnd Bergmann
2015-12-14  8:05       ` Andrew Vagin
2015-12-14  8:05         ` Andrew Vagin
2015-12-14  7:52     ` Andrew Vagin
2015-12-14  7:52       ` Andrew Vagin
2015-12-14 22:38       ` Andy Lutomirski
2015-12-15 15:53         ` Andrew Vagin
2015-12-15 15:53           ` Andrew Vagin
2015-12-15 16:43           ` Andy Lutomirski
2015-12-15 16:43             ` Andy Lutomirski